From: kindloaf@gmail.com (Hong)
Date: Fri, 29 Aug 2008 16:53:53 -0400
Subject: [refpolicy] Parsing Binary Ref Policy
In-Reply-To: <1220011932.22710.29.camel@gorn.columbia.tresys.com>
References: <1220011932.22710.29.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Thanks for your explanation.

Now I am trying to compile the current refpolicy (use "apt-get source refpolicy" to get the policy source). After "make policy", "make load", "make restorelabels", I restarted the machine. Now ubuntu doesn't boot. Following is the screenshot:

=8<=========================================
Starting up ...
Loading, please wait...
[ 14.623245] sd 0:0:0:0: [sda] Assuming drive cache: write through
[ 14.623882] sd 0:0:0:0: [sda] Assuming drive cache: write through
kinit: name_to_dev_t(/dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def) = sda5(8,5)
kinit: trying to resume from /dev/disk/by-uuid/2896d9f5-f576-4f35-8abd-277710a63def
kinit: No resume image, doing normal boot...
exec: 7: /etc/init.d/rcS: Permission denied
init: rcS main process (2326) terminated with status 2
init: rc-default main process (2328) terminated with status 1
=8<=========================================

I used ubuntu live CD and found nothing in /var/log/message (there is no single entry since last boot). And if I disable SELinux by turning off the kernel option, it can boot.

Is there any clue how to solve this problem?

Hong

On Fri, Aug 29, 2008 at 8:12 AM, Christopher J. PeBenito <cpebenito@tresys.com> wrote:
> On Thu, 2008-08-28 at 23:54 -0400, Hong wrote:
> > I am trying to parse the refpolicy under ubuntu 8.04. I
> > used /etc/selinux/refplicy/policy/policy.22. The size of the binary
> > policy is about 360K (accurate size is 360296).
> >
> > Then I use "dispol" tool in checkpolicy to parse the policy. However
> > I feel that the parsing result is not correct. There are many
> > domains missing in the parse result. There is no httpd domain, no
> > ftpd domain...
> >
> > And the access vector really confuses me. For example, I think the
> > domain insmod_t should be entered through insmod, rmmod, ... But from
> > the policy, domain insmod_t has the entrypoint privilege over a lot
> > of types: hplip_etc_t, lpd_tmp_t, proc_afs_t, pam_tmp_t, ... (there
> > are more than 300 of them).
> >
> > Did I do anything wrong? And if I am getting the correct binary
> > policy, why is the entrypoint privilege configured this way?
>
> The insmod_t domain has the entrypoint permission on all files because
> it is unconfined in the ubuntu policy.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
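As an added example (not from this thread or from refpolicy), the script below parses the "allow source target : class { perms };" lines that tools such as dispol or sesearch print and counts, per domain, the file types that carry the entrypoint permission; a domain with entrypoint on hundreds of unrelated types, as insmod_t has in the policy discussed above, is a quick sign that the build leaves that domain unconfined. The exact rule syntax, the sample lines and the threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the dispol/sesearch AV-rule form (assumption: the
# tool you use prints rules in this shape, with or without braces).
SAMPLE_RULES = """\
allow insmod_t hplip_etc_t : file { entrypoint read getattr };
allow insmod_t lpd_tmp_t : file { entrypoint read };
allow insmod_t proc_afs_t : file { entrypoint read };
allow insmod_t pam_tmp_t : file { entrypoint read write };
allow insmod_t insmod_exec_t : file { entrypoint execute read };
allow httpd_t httpd_exec_t : file { entrypoint execute read };
allow httpd_t httpd_config_t : file { read getattr };
allow ftpd_t ftpd_exec_t : file entrypoint ;
"""

# Matches "allow SRC TGT : CLASS { p1 p2 };" and "allow SRC TGT : CLASS p1 ;"
AV_RULE = re.compile(
    r"^allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s*"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
)

def entrypoint_targets(rule_text):
    """Map each source domain to the set of file types it may use as an entrypoint."""
    targets = defaultdict(set)
    for line in rule_text.splitlines():
        m = AV_RULE.match(line.strip())
        if not m or m.group("cls") != "file":
            continue  # entrypoint is a permission of the file class only
        perms = (m.group("perms") or m.group("perm")).split()
        if "entrypoint" in perms:
            targets[m.group("src")].add(m.group("tgt"))
    return dict(targets)

def suspect_unconfined(rule_text, threshold=3):
    """Return domains whose entrypoint type count reaches the threshold.

    A confined domain normally has one or a few *_exec_t entrypoints; a domain
    with entrypoint on many unrelated types is likely unconfined in that policy
    build. The threshold is a heuristic chosen for the constructed sample.
    """
    return sorted(d for d, t in entrypoint_targets(rule_text).items()
                  if len(t) >= threshold)

if __name__ == "__main__":
    for domain, types in sorted(entrypoint_targets(SAMPLE_RULES).items()):
        print(f"{domain}: {len(types)} entrypoint type(s)")
    print("suspect unconfined:", suspect_unconfined(SAMPLE_RULES))
```

On a real policy, feed it the rule dump for the domain you are examining instead of SAMPLE_RULES and raise the threshold to something well above the few entrypoints a confined domain declares.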